Trust & Transparency

Privacy Policy

Learn how ZEOUR LTD collects, uses, and safeguards your information across our feedback and DSAR flows.

Need to exercise your rights?

You can self-serve via /your-data when CAPTCHA is enabled, or email privacy@zeour.co.uk if you prefer not to enable Security / Bot protection cookies.

Controller details

ZEOUR LTD (UK) controls the data you submit and responds to all rights requests.

Security-first

We rely on rate limits, audit logs, bot challenges, and encryption to protect submissions.

GDPR compliant

Legal bases and retention schedules follow UK GDPR/EEA GDPR expectations.

Contact us

privacy@zeour.co.uk is the fastest way to reach our data protection contact.

This Privacy Policy explains how ZEOUR LTD ("ZEOUR", "we", "us") collects, uses, discloses, and protects personal data when you use our Feedback Portal and related services. It also describes your rights under UK GDPR/EEA GDPR and how to exercise them.

1. Who is the Controller?

ZEOUR LTD is the controller of your personal data processed via the Feedback Portal. You can contact us at privacy@zeour.co.uk.

2. What Personal Data We Collect

  • Profile and contact details you provide: name, email address, company name, role, region, and any other fields included in the feedback form.
  • Feedback content and metrics: qualitative responses and quantitative scores such as CSAT, NPS, CES, Likert‑scale answers, and other survey answers.
  • Testimonial information (optional): name, LinkedIn URL, testimonial text, image/photo you upload, and explicit consent choices.
  • Award/prize opt‑in information (optional): opt‑in status and contact email for prize communications.
  • Technical and security data: IP address, user agent, timestamps, CSRF tokens, rate-limit counters, and system event logs (e.g., login, logout, DSAR attempts).
  • Audit metadata: hashed versions of respondent emails, consent records, alert triggers (e.g., promoter/detractor notifications), and admin actions stored in our audit log.
  • Cookies and similar technologies: see our Cookie Policy for details.
  • Bot-protection telemetry: when you enable optional bot-protection cookies, Cloudflare Turnstile or hCaptcha receives the minimal data needed to issue a token (IP, user agent, widget response).
  • Admin account data (for authorized users only): email, name, role, password hash (never the plaintext password), session tokens.

3. How We Collect Data

  • Directly from you when you fill out our forms and submit feedback.
  • Automatically through your device, browser, and our application security features (e.g., IP, user agent, CSRF protection).
  • Uploads are transferred directly to cloud object storage (e.g., AWS S3) via a pre‑signed upload flow; we store the resulting file URL with your submission.
  • Files are automatically queued for malware scanning with status metadata (pending, safe, quarantined). Suspicious uploads may be blocked or removed.

4. Purposes and Legal Bases

  • Provide and improve our services (process feedback, analyze CSAT/NPS/CES, enhance features) — legitimate interests (Art. 6(1)(f)).
  • Publish testimonials, including your name, role, company, LinkedIn, and photo — consent (Art. 6(1)(a)). You can withdraw at any time.
  • Run prize draws/awards and contact winners — consent (Art. 6(1)(a)). You can opt out at any time.
  • Security, fraud prevention, and abuse detection (e.g., CSRF tokens, IP/user agent logging, rate limiting) — legitimate interests (Art. 6(1)(f)).
  • Admin authentication and access control — contract/legitimate interests (Art. 6(1)(b)/(f)).
  • Security and anti-abuse (bot challenges, rate limiting, hashed identifiers, audit logs) — legitimate interests (Art. 6(1)(f)).
  • Analytics/marketing cookies (if enabled) — consent (Art. 6(1)(a)). See the Cookie Policy.
  • Legal obligations (e.g., record‑keeping, responding to lawful requests) — legal obligation (Art. 6(1)(c)).

5. Sharing and Recipients

  • Cloud infrastructure and storage providers (e.g., object storage for uploads) and service providers that help us operate the Service.
  • Email delivery providers for notifications (e.g., alerts about promoter NPS or testimonial consents) where configured.
  • Authorized personnel within ZEOUR who require access to administer forms, review submissions, or provide support.
  • Bot protection providers (Cloudflare Turnstile or hCaptcha) when you opt in to run those widgets.
  • Public audiences only when you explicitly consent to publish a testimonial.
  • Regulators, authorities, or legal counsel where required by law or to protect rights.

6. International Data Transfers

If your data is transferred outside the UK/EEA, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or other approved transfer mechanisms, and assess the level of protection provided by the destination country and provider.

7. Retention

  • Feedback submissions: kept for the minimum period necessary for analysis and business purposes, then either anonymized or deleted.
  • Testimonials: retained until consent is withdrawn or content is no longer relevant.
  • Award/prize contact data: retained only while the promotion is active or until you opt out.
  • Security logs (IP/user agent/rate limiting): short‑term retention sufficient for audit and abuse prevention.
  • Audit and bot-challenge logs: typically retained up to 90 days unless we need them longer to investigate abuse.
  • Cookies and tokens: see the Cookie Policy (e.g., `auth-token` ~12h, `csrf-token` session, `cookie-consent` up to 12 months, `sidebar_state` ~7 days).

8. Your Rights

  • Access your data and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data in certain circumstances (right to be forgotten).
  • Restrict or object to certain processing, including profiling based on legitimate interests.
  • Data portability, where applicable.
  • Withdraw consent at any time (e.g., for testimonials or award contact) without affecting prior lawful processing.
  • Lodge a complaint with your data protection authority (in the UK: the ICO).

To exercise your rights, contact privacy@zeour.co.uk. We may request information to verify your identity before responding. We aim to respond within one month. If you prefer not to enable our CAPTCHA for self-service requests, you can always reach us at this address.

9. Children

The Service is not intended for children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

10. Automated Decision‑Making

We do not use personal data submitted via the Feedback Portal for automated decision‑making that produces legal or similarly significant effects.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service. Please review this page periodically.

12. Contact

Data protection contact: privacy@zeour.co.uk

Last updated: 2024-06-07